There Is No Such Thing As NSA-Proof Email
Stay up to date with the latest headlines via email.
The following article first appeared in Mother Jones. Subscribe here for more great content from Mother Jones.
Since last June, when Edward Snowden tore the veil off the National Security Agency's vast data dragnet, Americans have been flocking to ultrasecure email services in the hopes of keeping the government out of their private business. Use of the most popular email encryption software, PGP, tripled between June and July, while revenue for the data-encryption company Silent Circle has shot up 400 percent.
But even these services may not be able to protect your email from government prying. That fact came into stark relief last Thursday, when Lavabit, the secure email service used by Snowden, abruptly shut down. Lavabit's 32-year-old founder, Ladar Levison, issued a statement saying he pulled the plug because he didn't want to be "complicit in crimes against the American people." He has since given up using email entirely, and he urges others to consider doing the same. "I would strongly recommend against entrusting your privacy to a company with physical ties to the United States," he told Mother Jones. "I honestly don't think it's possible to provide a secure service in this country."
Levison, who is reportedly under federal gag order, declined to elaborate (though he opined, based on his experience, that we're a "whisper's breath away" from becoming a society where all electronic communications are recorded and scrutinized by the government). But according to other industry insiders and cybersecurity experts, there's good reason to be wary of transmitting sensitive information via email—even if your provider claims to have iron-clad safeguards.
Tech giants, such as the Microsoft subsidiary Hotmail, regularly hand over data to the government. In fact, in the last eight months of 2012 (the most recent period for which data is available), Hotmail, Google, Facebook, and Twitter provided law enforcement authorities with information on more than 64,000 users. And that doesn't include responses to secret national security letters ordered by the Foreign Intelligence Surveillance Act Court, or FISA.
Secure emails services, such as Lavabit, are supposed to guard against this kind of snooping (as well as hackers and phishers) by encrypting email messages—turning them into gibberish that can only be read by people who have a password, or "key." Theoretically, in most cases, the email provider can't even decipher the contents, much less government agencies. But even the most secure email systems don't completely encrypt "metadata," the bits of identifying information that accompany messages, such as the sender's name and IP address; the subject line; and the date and time the message was sent. Matthew Green, an encryption expert at Johns Hopkins University, says the government can tell a lot about a person from these details. "If you can map out who someone has talked to, that's almost as useful as knowing what they were talking about," he explained, "especially if you're trying to map out a criminal conspiracy or find out who leaked information from reporters."
What's more, encrypted emails may actually attract NSA scrutiny. Under most circumstances, the NSA is supposed to destroy intercepted email data from US citizens. But, according to an internal NSA document that was leaked to the Guardian in June, this rule doesn't apply to "enciphered" communications—meaning the NSA can stockpile data from encrypted accounts and comb through it at will.
The federal government also has been known to press tech companies to put "back doors" in their software so it can monitor users' activity and, in some cases, read encrypted messages. According to Green, this is easy to do, technologically. "The company simply puts out a software update. You download it. Suddenly, what you thought was a secure end-to-end email system is now being read by the government."